SDX 6.4.x Services and Policies Guide > Policy Management Overview
> Using Global and Local Parameters
Using Global and Local Parameters
Policy definitions that you create with Policy Editor are templates that the policy engine uses to construct policies that the SAE installs on the router or provisions on the CMTS device. When you fill in fields in the policy template, you can assign specific values or parameter values. Before it creates a policy for installation on the router, the policy engine substitutes parameter values with specific values. The policy engine uses the parameter value acquisition process to obtain the specific values. For information about parameter value acquisition, see Generating Policies by Specifying Parameters.
Policies can use global or local parameters:
- Global parameters—Are available to use in any policy. Global parameters are displayed in drop-down lists for the fields in which you can use them. With global parameters, you can define parameters once and then reuse them in many policies. Typically, global parameters are not changed often, and if changes are necessary, local parameters are used.
Global parameters are located in the Parameters repository in Policy Editor. If you select the Parameters folder, Policy Editor displays a table of all global parameters. See Figure 15.
- Local parameters—Are available only for the policy group in which the parameter is defined.
In Policy Editor, the 
icon appears next to fields that can take parameters.
Viewing Global Parameters
In Policy Editor, global parameters are held in the Parameters repository. To view global parameters, expand and select the Parameters folder in the Policy Editor navigation pane. In Figure 15, the Runtime Parameters folder is selected, which causes all parameters in that folder to appear in the parameter summary table. To view a specific parameter, select the parameter in the navigation pane.
Figure 15: Parameter Folder Holds Global Parameters
Viewing Local Parameters
When you create a policy group, Policy Editor automatically creates a Local Parameters folder inside the policy group. To view all local parameters for a policy group, select the Local Parameters folder in the navigation pane. (See Figure 16.) All local parameters that you create within the policy group are displayed in a summary table in the ParameterFolder pane. To view a specific parameter, select the parameter in the navigation pane.
Figure 16: Local Parameter Folder
Parameter Types
Global and local parameters are assigned a type. (Note that the term type is used in Policy Editor, and the term role is used in SDX Admin. Both terms have the same meaning.) The type indicates in which Policy Editor fields you can use the parameter. For example, address is a type of parameter. Wherever there is a field for which you can specify an address, a drop-down list displays all of the global parameters of type address as well as local parameters of type address that are defined in the policy group in which you are working. Figure 17 shows a drop-down list of global and local parameters for parameter type address.
Figure 17: Drop-Down List of Local and Global Address Parameters
There are isolated cases in which a global parameter value appears in the drop-down list, but because of the context, the value does not make sense to use. For example, in NAT actions, the global parameter any appears in the IP Network field. In this context, any is not a valid value.
Policy Editor provides many predefined built-in parameters and runtime parameters. Runtime parameters are parameters that are filled in with an actual value from the running system when the policy is installed on the router. For example, the interface_speed parameter is filled in with the actual speed of the router interface. You cannot change the values of built-in or runtime parameters.
Table 13 lists the parameter types, the predefined parameters for each type, the policy objects in which you can use the parameter type, and how the type is used.
Table 13: Parameter Types (or Roles)
|
|
|
|
|---|
address
|
gateway_ipAddress
interface_ipAddress
service_ipAddress
user_ipAddress
virtual_ipAddress
|
Classify-traffic condition
Next-interface action
Next-hop action
|
IP addresses in dotted decimal notation.
|
addressMask
|
interface_ipMask
service_ipMask
user_ipMask
|
Classify-traffic condition
|
IP masks in dotted decimal notation.
For JUNOSe policies and JUNOS policies (except for firewall policies), a mask must be equivalent to some prefix length. For example, 255.255.255.0 is allowed, but 255.255.255.1 is not. Policy Editor checks this constraint for default parameter values, but not for any other substitution values until runtime when the policy engine constructs the policy.
|
allowIpOptions
|
|
Classify-traffic condition
|
|
any
|
|
|
The set of all values.
|
applicationProtocol
|
bootp, dce_rpc, dce_rpc_portmap, dns, exec, ftp, h323, green, icmp_app, iiop, netbios, netshow, realaudio, rpc, rpc_portmap, rtsp, shell, snmp, sqlnet, tftp, traceroute, winframe, yellow
|
Classify-traffic condition
(Predefined parameters map protocol numbers to synonyms.)
|
|
bandwidthSizeUnit
|
bps
percent
|
Policer action
|
|
boolean
|
false
true
|
|
|
burst
|
|
Rate-limit action
Policer action
DOCSIS action
|
Burst sizes. The range is 214—232-1.
|
dceRpcUuid
|
|
Classify-traffic condition
|
|
dropProfileProtocol
|
any_protocol
non_tcp
tcp_only
|
Scheduler action
|
|
dropProfileType
|
interpolated
segmented
|
Scheduler action
|
|
forwardingClass
|
|
Classify-traffic condition
QoS condition
|
|
fragOffset
|
|
Classify-traffic condition
|
The value of the fragment offset field of IP packets.
For JUNOSe routers:
- eq 0—Equal to 0
- eq 1—Equal to 1
- gt 1—Greater than 1
- any—Any value
For JUNOS routing platforms and PCMM policies, integer in the range 0-8191.
The policy engine and Policy Editor validate these values; the substitution engine does not.
|
grantSize
|
|
DOCSIS action
|
|
icmpCode
icmpType
|
|
Classify-traffic condition
|
8-bit values that represent patterns in the ICMP code and ICMP type fields in IP packets. The policy engine and Policy Editor validate these values; the substitution engine does not.
|
igmpType
|
|
Classify-traffic condition
|
8-bit values that represent patterns in the IGMP type field in IP packets. The policy engine and Policy Editor validate these values; the substitution engine does not.
|
interfaceGroup
|
|
Classify-traffic condition
|
|
InterfaceSpec
|
bfwlf
gfwlf
|
Next-interface action
|
The router interface.
For JUNOSe interfaces, the format is:
'<type of specifier>=<value>'
For example: name='fastEthernet3/0'
For JUNOS interfaces, the format is:
'name= <mediatype>-<slot>/ <pic>/<port>.<unit>'
For example: 'name=AT-0/1/0.0'
|
interval
|
|
DOCSIS action
|
|
ipFlags
ipFlagsMask
|
|
Classify-traffic condition
|
3-bit values that represent patterns for the IP flags field in an IP packet. The high bit is reserved, the middle bit is don't fragment, and the low bit is more fragments.
|
ipSecSpi
|
|
Classify-traffic condition
|
|
IPv4range
|
|
|
|
jitter
|
|
DOCSIS action
|
|
matchDirection
|
both
input
output
|
Classify-traffic condition
|
|
maxLatency
|
|
DOCSIS action
|
|
messageType
|
|
Reject action
|
|
microSecond
|
|
|
|
natTranslationType
|
|
NAT action
|
|
network
|
any
|
Classify-traffic condition
NAT action
|
IP subnets using two forms:
<address>/<mask>
<address>/<prefixLength>
where <address> and <mask> are in the traditional dotted decimal notation
<prefixLength>is a number in the range 0-32, which specifies how many of the first bits in the address specify the network.
In policy conditions, network specifies patterns for the address fields in packets. Networks can be preceded by "not" to indicate that the condition matches every address not in the subnet.
|
networkOperation
|
|
Classify-traffic condition
|
Whether a network field of a packet should match or not match the value specified in a policy condition.
- 0 means does not match
- 1 means matches
|
packetLength
|
|
Classify-traffic condition
DOCSIS action
FlowSpec action
|
|
packetLossPriority
|
any_priority
high_priority
low_priority
|
Loss priority action
|
|
packetOperation
|
|
Rate-limit action
Policer action
Stateful firewall
|
Actions taken on packets.
For rate-limit actions, valid values are: $'forward', $'filter', and $'mark <tosByte> <tosMask>'.
For policer actions, value values are: filter, forwardingClass, lossPriority.
For stateful firewalls, valid values are: filter, forward, reject.
The policy engine and Policy Editor validate these values; the substitution engine does not.
|
percent
|
|
Scheduler action
|
|
policedUnit
|
|
FlowSpec action
|
|
port
|
service_port
|
Classify-traffic condition
NAT action
|
16-bit values that represent patterns in the port fields in IP packets.
|
portOperation
|
eq
neq
|
Classify-traffic condition
|
Whether a port field should match or not match the value(s) specified in a condition. For JUNOSe policies valid values are: $'eq', $'lt', $'gt', $'neq' and $'range'.
For JUNOS the allowed values are:
- 0—Does not match
- 1—Matches
The policy engine and Policy Editor validate these values; the substitution engine does not.
|
prPrecedence
|
|
Policy rule
|
|
protocol
|
ah, egp, esp, gre, icmp, igmp, ip, ipip, ospf, pim, rsvp, tcp, udp
|
Classify-traffic condition
(Predefined parameters map protocol numbers to synonyms.)
|
8-bit values that represent patterns in the protocol field in IP packets. The policy engine and Policy Editor validate these values; the substitution engine does not.
|
protocolOperation
|
is
not
|
Classify-traffic condition
|
Whether a protocol field of a packet should match or not match the value specified in a policy condition.
- 0 means does not match
- 1 means matches
|
qosProfileSpec
|
|
QoS-attachment action
|
Strings in QoS attachment actions that specify QoS profiles. They can be any string that names a QoS profile on the JUNOSe router.
|
rate
|
interface_speed
|
Rate-limit action
Policer action
DOCSIS action
FlowSpec action
Traffic-shape action
|
Rates in the range 0—232-1.
|
rateLimitType
|
one_rate
two_rate
|
Rate-limit action
|
Rate-limit type. The allowed values are $'one-rate' and $'two-rate'. The policy engine and Policy Editor validate these values; the substitution engine does not.
|
requestTransmissionPolicy
|
|
DOCSIS action
|
|
routingInstance
|
|
Routing instance action
|
|
rpcProgramNumber
|
|
Classify-traffic condition
|
|
schedulerBufferSize
|
|
Scheduler action
|
|
schedulerBufferSizeUnit
|
buffer_size_percentage
buffer_size_remainder
temporal
|
Scheduler action
|
|
schedulerPriority
|
high
low
medium_high
medium_low
strict_high
|
Scheduler action
|
|
schedulerTransmitRate
|
|
Scheduler action
|
|
schedulerTransmitRateUnit
|
rate_in_bps
rate_in_percentage
rate_in_remainder
|
Scheduler action
|
|
serviceClassName
|
|
Service class name action
|
|
serviceNumber
|
controlled_load_service
guaranteed_service
|
FlowSpec action
|
|
sessionClassIdPriority
|
|
GateSpec action
|
|
slackTerm
|
|
FlowSpec action
|
|
snmpCommand
|
get
get_next
set
trap
|
Classify-traffic condition
|
|
tcpFlags
tcpFlagsMask
|
|
Classify-traffic condition
|
6-bit values that represent patterns for the TCP flags field in IP packets. The bits from high to low mean: urgent, acknowledge, push, reset, synchronize, finish.
|
timeout
|
|
Classify-traffic condition
|
|
tokenBucketSize
|
|
FlowSpec action
|
|
tosByte
tosByteMask
|
|
Classify-traffic condition
Rate-limit action
Mark action
|
8-bit values that represent patterns in the ToS byte field in IP packets.
When tosByteMask is used in ToS conditions, the allowed values are 0, 224, 252, and 255.
The policy engine and Policy Editor validate these values; the substitution engine does not.
|
traceRouteTtlThreshold
|
|
Classify-traffic condition
|
|
trafficClassSpec
|
|
Traffic-class action
|
Strings in traffic-class actions that specify traffic-class profiles. They can be any string that names a traffic class on the JUNOSe router.
|
trafficPriority
|
|
DOCSIS action
|
|
trafficProfileType
|
best_effort
unsolicited_grant
down_stream
unsolicited_grant_with_activity_detection
real_time
non_real_time
|
DOCSIS action
|
Service flow scheduling type
|
translationType
|
|
|
|
Predefined Global Parameters
Table 14 describes the predefined built-in and runtime global parameters that Policy Editor provides. Only three of the predefined parameters can be modified: any, bfwlf, and gfwlf.
Table 14: Predefined Global Parameters
|
|
|
|
|---|
ah
|
Maps protocol 51 to AH
|
protocol
|
|
any
|
This network matches any address
|
network
|
|
any_priority
|
Sets packet loss priority to "any"
|
packetLossPriority
|
|
any_protocol
|
Sets drop profile protocol to "any"
|
dropProfileProtocol
|
|
best_effort
|
Sets the service flow scheduling type to best effort
|
trafficProfileType
|
|
bfwlf
|
Specifier of the interface that leads to the bronze firewall server
|
interfaceSpec
|
Yes
|
bootp
|
Specifies the BOOTP protocol
|
applicationProtocol
|
|
both
|
Specifies the direction of the policy as input and output
|
matchdirection
|
|
bps
|
Specifies that the indicated bandwidth size is in bps
|
bandwidthSizeUnit
|
|
buffer_size_percentage
|
Specifies that the indicated buffer size is a percentage
|
schedulerBufferSizeUnit
|
|
buffer_size_remainder
|
Specifies that the indicated buffer size is a remainder
|
schedulerBufferSizeUnit
|
|
controlled_load_service
|
Specifies that the type of FlowSpec service is controlled-load service
|
serviceNumber
|
|
dce_rpc
|
Specifies the DCE RPC protocol
|
applicationProtocol
|
|
dce_rpc_portmap
|
Specifies the DCE RPC portmap
|
applicationProtocol
|
|
dns
|
Specifies the DNS protocol
|
applicationProtocol
|
|
down_stream
|
Sets the service flow scheduling type to downstream
|
trafficProfileType
|
|
egp
|
Maps protocol 8 to EGP
|
protocol
|
|
eq
|
Matches packets with a port that is equal to the specified port
|
portOperation
|
|
esp
|
Maps protocol 50 to ESP
|
protocol
|
|
exec
|
Specifies the Exec protocol
|
applicationProtocol
|
|
false
|
Sets Boolean values to false
|
boolean
|
|
ftp
|
Specifies the FTP protocol
|
applicationProtocol
|
|
gateway_ipAddress
|
IP address of the gateway as specified by the service object
|
address
|
Yes
|
get
|
Specifies the get SNMP command
|
snmpCommand
|
|
get_next
|
Specifies the get-next SNMP command
|
snmpCommand
|
|
gfwlf
|
Specifier of the interface that leads to gold firewall server
|
interfaceSpec
|
Yes
|
gre
|
Maps protocol 47 to EGP
|
protocol
|
|
guaranteed
|
Specifies that the type of FlowSpec service is guaranteed service
|
serviceNumber
|
|
h323
|
Specifies the H.323 protocol
|
applicationProtocol
|
|
high
|
Sets the scheduler priority to high
|
schedulerPriority
|
|
high_priority
|
Sets the packet loss priority (PLP) to high
|
packetLossPriority
|
|
icmp
|
Maps protocol 1 to ICMP
|
protocol
|
|
icmp_app
|
Specifies the ICMP protocol
|
applicationProtocol
|
|
igmp
|
Maps protocol 2 to IGMP
|
protocol
|
|
iiop
|
Specifies the Internet Inter-ORB Protocol, a TCP protocol
|
applicationProtocol
|
|
input
|
Specifies the direction of the policy as input
|
matchdirection
|
|
interface_ipAddress
|
IP address of the interface
|
address
|
Yes
|
interface_ipMask
|
IP mask of the interface
|
addressMask
|
Yes
|
interface_speed
|
Speed of the subscriber's IP interface on the router or the speed of the subscriber's DOCSIS interface
|
rate
|
|
interpolated
|
Sets the drop profile type to interpolate
|
dropProfileType
|
|
ip
|
Maps protocol 0 to IP
|
protocol
|
|
ipip
|
Maps protocol 4 to IP-IP
|
protocol
|
|
is
|
Matches packets with the protocol that is equal to the specified protocol
|
protocolOperation
|
|
low
|
Sets scheduler priority to low
|
schedulerPriority
|
|
low_priority
|
Sets packet loss priority to low
|
packetLossPriority
|
|
medium_high
|
Sets scheduler priority to medium-high
|
schedulerPriority
|
|
medium_low
|
Sets scheduler priority to medium-low
|
schedulerPriority
|
|
neq
|
Matches packets with a port that is not equal to the specified port
|
portOperation
|
|
netbios
|
Specifies the NetBIOS protocol
|
applicationProtocol
|
|
netshow
|
Specifies the NetShow protocol
|
applicationProtocol
|
|
non_real_time
|
Sets the service flow scheduling type to NRTPS
|
trafficProfileType
|
|
non_tcp
|
Sets the drop profile protocol to any protocol other than TCP
|
dropProfileProtocol
|
|
not
|
Matches packets with the protocol that is not equal to the specified protocol
|
protocolOperation
|
|
one_rate
|
Sets the rate-limit type to one rate
|
rateLimitType
|
|
ospf
|
Maps protocol 89 to OSPF
|
protocol
|
|
output
|
Specifies the direction of the policy as output
|
matchdirection
|
|
percent
|
Specifies that the indicated bandwidth size is a percentage of bandwidth
|
bandwidthSizeUnit
|
|
pim
|
Maps protocol 103 to PIM
|
protocol
|
|
rate_in_bps
|
Specifies that the indicated transmit rate is in bps
|
schedulerTransmitRateUnit
|
|
rate_in_percentage
|
Specifies that the indicated transmit rate is a percentage
|
schedulerTransmitRateUnit
|
|
rate_in_remainder
|
Specifies that the indicated transmit rate is a remainder
|
schedulerTransmitRateUnit
|
|
realaudio
|
Specifies the RealAudio protocol
|
applicationProtocol
|
|
real_time
|
Sets the service flow scheduling type to RTPS
|
trafficProfileType
|
|
rpc
|
Specifies the RPC UDP or TCP protocols
|
applicationProtocol
|
|
rpc_portmap
|
Specifies the RPC portmap protocol
|
applicationProtocol
|
|
rsvp
|
Maps protocol 46 to RSVP
|
protocol
|
|
rtsp
|
Specifies the Real-Time Streaming Protocol
|
applicationProtocol
|
|
segmented
|
Sets the drop profile type to segmented
|
dropProfileType
|
|
service_ipAddress
|
IP address of the service as specified by the service object
|
address
|
Yes
|
service_ipMask
|
IP mask of the service as specified by the service object
|
address
|
Yes
|
service_port
|
Service port as specified by the service object
|
port
|
Yes
|
set
|
Specifies the set SNMP command
|
snmpCommand
|
|
shell
|
Specifies the Shell protocol
|
applicationProtocol
|
|
snmp
|
Specifies the SNMP protocol
|
applicationProtocol
|
|
sqlnet
|
Specifies the SQLNet protocol
|
applicationProtocol
|
|
strict_high
|
Sets scheduler priority to strict-high
|
schedulerPriority
|
|
tcp
|
Maps protocol 6 to TCP
|
protocol
|
|
tcp_only
|
Sets the drop profile protocol to TCP
|
dropProfileProtocol
|
|
temporal
|
Specifies that the indicated buffer size is temporal
|
schedulerBufferSizeUnit
|
|
tftp
|
Specifies the Trivial File Transfer Protocol
|
applicationProtocol
|
|
traceroute
|
Specifies the Traceroute protocol
|
applicationProtocol
|
|
trap
|
Specifies the trap SNMP command
|
snmpCommand
|
|
true
|
Sets the Boolean value to true
|
boolean
|
|
two_rate
|
Sets the rate-limit type to two rate
|
rateLimitType
|
|
udp
|
Maps protocol 17 to UDP
|
protocol
|
|
unsolicited_grant
|
Sets the service flow scheduling type to UGS
|
trafficProfileType
|
|
unsolicited_grant_with_activity_detection
|
Sets the service flow scheduling type to UGS-AD
|
trafficProfileType
|
|
user_ipAddress
|
IP address of the subscriber
|
address
|
Yes
|
user_ipMask
|
IP mask of the subscriber
|
address
|
Yes
|
virtual_ipAddress
|
Virtual portal address of the SSP that is used in redundant SAE installations
|
address
|
Yes
|
winframe
|
Specifies the WinFrame protocol
|
applicationProtocol
|
|
Naming Global Parameters
A global parameter is stored in the directory with the parameter name as its naming attribute. The directory stores the case for the parameter name; however, the directory does not allow you to create another global parameter with a name that differs only by the use of upper and lowercase letters. For example, if there is a parameter named fastspeed, the directory will not allow the creation of a parameter named fastSpeed without first deleting fastspeed.
Also, when you define a substitution for a global parameter, make sure that the case in the substitution matches the case of the global parameter.
When you perform a SaveAs operation to a directory, the SDX software does not check the names of local parameters in the policy group with the names of existing global parameters in the directory. After the SaveAs operation is complete, the directory may contain global parameters and local parameters with the same names. You will not receive any messages about duplicate names. If local and global parameters have duplicate names, the policy engine uses the local parameter definitions.
Creating and Modifying Global Parameters
If you change global variables for policies, the change takes effect the next time a service is activated; the change does not take effect for active service sessions.
You can create a global parameter from the Parameters folder and from within a policy.
Creating Global Parameters from the Parameters Folder
To create a global parameter from the Parameters folder:
- In the Policy Editor navigation pane, right-click on the Parameters folder, and select New > Parameter.
- In the Parameter Name Dialog box, assign a name to the parameter. This is the name that appears in Policy Editor drop-down menus.
- Select the new parameter in the navigation pane.
The Parameter pane appears.
- Fill in the fields as described in Parameter Definition Fields.
Creating Global Parameters Within a Policy
Policy fields for which you can use parameters have a
icon next to them. To create a global parameter from within a policy:
- Click the
icon next to the field for which you want to create a global parameter.
The Parameter Operation dialog box appears. Existing local and global parameters are listed. You can add, delete, or modify global parameters from this dialog box. You can also add local parameters.
- Click New.
The Parameter Definition dialog box appears.
- Fill in the fields as described in Parameter Definition Fields.
Parameter Definition Fields
Use the fields in this section to configure parameters.
Description
- Description of the parameter. You can provide extra information and examples of how the parameter is used.
- Value—Text
- Default—No value
Caption
- Short description of the parameter.
- Value—Text
- Default—No value
Keywords
- Keywords that you can use to search for a parameter.
- Value—Text
- Default—No value
Default Value
- An optional value that the policy engine uses if no other values are provided during the parameter value acquisition process. If other values are provided to the policy engine but problems are encountered, the default value for the parameter is not used. The policy engine generates an error.
- Value—Valid value for the parameter type; see Table 13 for valid values of each parameter type
- Default—No value
Scope
- Specifies whether the parameter is a global parameter or a local parameter.
- Value
- global—Select to create a global parameter.
- local—Select to create a local parameter.
Type
- Type of attribute for which you can use the parameter. The parameter type determines where you can use the parameter.
- Value—Select from drop-down list. See Table 13 for a description of parameter types.
- Default—No value
Creating and Modifying Local Parameters
When you create a policy group, Policy Editor automatically creates a Local Parameters folder inside the policy group. (See Figure 18.) All local parameters that you create within the policy group are added as objects in the Local Parameters folder. The ParameterFolder content pane also displays a summary table of all local parameters in the policy group.
When you perform a SaveAs operation to a directory server, the SDX software does not check the names of local parameters in the policy group with names of existing global parameters in the directory server. After the SaveAs operation is complete, the directory server may contain global parameters and local parameters with the same names. You will not receive any messages about duplicate names. If local and global parameters have duplicate names, the policy engine uses the local parameter definitions.
Figure 18: Modifying Local Parameters
To modify parameters from the summary table:
- Double-click on a parameter name entry to display the Parameter content pane. Fill in the fields as described in Parameter Definition Fields.
- Type a new value in a Default Value field.
- Click on an entry in the Type column to display a drop-down list of types.
Creating a Local Parameter
There are two ways to create a local parameter.
From the Local Parameter folder:
- Right-click on the Local Parameter folder, and select New > Parameter.
- In the Parameter Name Dialog box, assign a name to the parameter. This is the name that appears in Policy Editor drop-down menus.
The Parameter pane appears.
- Fill in the fields as described in Parameter Definition Fields.
Policy fields for which you can use parameters have a
icon next to them. To create a global parameter from within a policy:
- Click the
icon next to the field for which you want to create a local parameter.
The Parameter Operation dialog box appears.
Existing local and global parameters are listed. You can add, delete, or modify local parameters from this dialog box. You can also add global parameters.
- Click New.
The Parameter Definition dialog box appears.
- Fill in the fields as described in Parameter Definition Fields.
